GDPR Questions Answered: Our Web App Could Store Data

With less than six months to go until the General Data Protection Regulation (GDPR) comes into force, Infosecurity has often found that there is still lots of uncertainty about achieving compliance. To help resolve this, data privacy offer and expert Steve Wright is joining us here to answer your questions.

Today, Steve was asked:

“Our web application is designed for website content, but it is possible that clients could store personal data in our system without our knowledge. Do we need to put a new terms of use in place to cover ourselves against this?”

Steve says:

“In principle, any web application that is not designed to collect personal data should be built in a way that prevents users from providing their personal data. The accidental collection of personal data is not advisable as it may trigger additional privacy and data protection obligations for you and your clients.

If it is not possible to prevent users from providing their personal data (e.g. because the web application is a legacy one), a terms of use should be displayed to:

Discourage users from providing their personal data (e.g. by saying that the web application is not meant to collect and process personal data)

Inform users about what would happen to the personal data provided accidentally (e.g. storage) and any action that would be taken on it (e.g. deletion, anonymization)

However, if challenged by the regulator, it would be difficult to be considered not responsible for the processing of personal data simply on the basis of the fact that there are terms of use discouraging users to provide their personal data.”